Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

Size: px

Start display at page:

Download "Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic"

Ada Lang
6 years ago
Views:

1 Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1

2 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption 2

3 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 3

4 CBC / HMAC Arbitrary padding in SSLv3 Implicit IVs in TLS 1.0 MAC-then-Pad-then-Encrypt 2002 Padding Oracles 5

5 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 7

6 RC4 Generates a key stream Some bytes more likely to occur 2013: AlFardan et al. RFC 7465: Prohibiting RC4 Cipher Suites 8

7 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 9

8 TLS Encryption 1. Asymmetric key exchange RSA, DHE, ECDHE 2. Symmetric encryption CBC/HMAC RC4 (stream cipher) (new: ChaCha20/Poly1305) AES-GCM 10

9 Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

10 AES Counter Mode Nonce Counter J 1 J 2 AES-Enc AES-Enc P 1 P 2 C 1 C 2 13

11 Bit Flipping in AES Counter Mode J 1 J 2 AES-Enc AES-Enc C 1 C 2 P 1 P 2 Attacker can modify messages 14

12 AES-GCM GCM Galois Counter Mode AEAD (Authenticated Encryption with Additional Data) Only in TLS 1.2 Combination of Counter Mode and GHASH authentication Computed over Galois field 15

13 AES-GCM J 0 J 1 J 2 AES-Enc AES-Enc AES-Enc P 1 P 2 C 1 C 2 Gmul H Gmul H Gmul H Hash key H A len(a) len(c) Encryption of 128 zero bits: H=Enc(0) Gmul H Output: C T T 16

14 GCM: Opinions of Cryptographers "Do not use GCM. Consider using one of the other authenticated encryption modes, such as CWC, OCB, or CCM." (Niels Ferguson) "We conclude that common implementations of GCM are potentially vulnerable to authentication key recovery via cache timing attacks." (Emilia Käsper, Peter Schwabe, 2009) "AES-GCM so easily leads to timing side-channels that I'd like to put it into Room 101." (Adam Langley, 2013) "The fragility of AES-GCM authentication algorithm" (Shay Gueron, Vlad Krasnov, 2013) "GCM is extremely fragile" (Kenny Paterson, 2015) 17

15 Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

16 The Forbidden Attack Nonce: Number used once TLS: 8 Byte / 64 Bit nonce Joux (2006): Nonce reuse allows an attacker to recover the authentication key Attacker can modify messages 19

17 Consider one block H = AES (0) J 0 AES-Enc J 1 AES-Enc T = ( C 1 * H + L) * H + AES (J 0 ) P 1 T = C 1 * H 2 + L * H + AES (J 0 ) C 1 Gmul H Unknown values: H AES (J 0 ) len(a) len(c) Gmul H T 21

18 Duplicate nonce H = AES (0) J 0 AES-Enc J 1 AES-Enc T 1 = C 1,1 * H 2 + L 1 * H + AES (J 0 ) T 2 = C 2,1 * H 2 + L 2 * H + AES (J 0 ) P 1 C 1 Gmul H T 1 - T 2 = (C 1,1 C 2,1 ) * H 2 + (L 1 L 2 ) * H len(a) len(c) Gmul H T 22

19 Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario

20 TLS 1.2 / RFC 5288 "Each value of the nonce_explicit must be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security. The nonce_explicit may be the 64-bit sequence number. Two problems: Random nonces: Collision probability Repeating nonces 24

21 Internet-wide Scan 184 hosts with repeating nonces Radware (Cavium chip) Several pages from VISA Europe hosts with random looking nonces A10, IBM Lotus Domino (both published updates) Sangfor (no response) More devices that we were unable to identify 26

22 Example: Radware OpenSSL 1.0.1j f118cd0fa6ff5a15 f118cd0fa6ff5a16 f118cd0fa6ff5a74 e_aes.c (EVP_CIPHER_CTX_ctrl/aes_gcm_ctrl): if (c->encrypt && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) return 0; t1_enc.c: if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); } 27

23 Open Source Libraries Botan, BouncyCastle, MatrixSSL, SunJCE, OpenSSL No real problems Counter overflows in Botan and MatrixSSL 28

24 Overview 1. AES-GCM 2. The Forbidden Attack 3. Evaluation 4. Attack Scenario 29

25 Attacking Vulnerable Websites GET visa.dk/index.html HTTP OK <html> <script> </script> </html> HTTP OK <html> <h1>hello Visa</h1> </html> 30

26 Demo 32

27 Attacking mi5.gov.uk 33

28 Conclusions TLS 1.2: no guidance how to use nonces correctly Some people get it wrong Implicit nonces needed: Chacha20/Poly1305 and TLS 1.3 based on record number Better test tools for TLS implementation flaws 34

Misuse-resistant crypto for JOSE/JWT

Misuse-resistant crypto for JOSE/JWT Neil Madden OAuth Security Workshop, 2018 1 JOSE Content Encryption Methods Provide authenticated encryption AES-CBC with HMAC-SHA2 Requires random 128-bit IV Must